Scribd
Upload
59 views13 pages

How To Create An ADMX Template - 4sysops

Uploaded by

divya
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
59 views13 pages

How To Create An ADMX Template - 4sysops

Uploaded by

divya
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 13

29/12/2023, 16:41 How to create an ADMX template – 4sysops

How to create an ADMX template


Home (https://4sysops.com) / Blog (https://4sysops.com/archives/) / How to create an ADMX template

4sysops - The online community for SysAdmins and DevOps

Riccardo Bicelli Mon, Sep 7 2020 (https://4sysops.com/archives/how-to-create-an-admx-template/)


group policy, deployment, active directory 1 

In this howto, I'll explain how to create a basic ADMX template from scratch
and use it in a working example. When I was writing my first application that
works with GPOs, at the point of writing my first ADMX template, I realized that
ADMX Migrator from Microsoft didn't work as expected. So I dug through offi‐
cial documentation, reverse engineered some existing templates, and found a
way to write my own templates.

 

Remove local admin rights, elevate apps for users bypassing UAC password prompts
Try Securden for free!! Ad

Contents C LO S E


01 ADMX template structure

https://4sysops.com/archives/how-to-create-an-admx-template/ 1/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

02 The VBScript LogonMessage.vbs

03 The ADMX template header

04 ADML language files

05 Template item: Enabled/Disabled

Consideration of used registry keys

06 Template Item: String Input

07 Template Item: Dropdown List

08 Final result

09 Conclusion

Author Recent Posts

 
Riccardo Bicelli (Https://4sysops.Com/Members/Riccardo-
Bicelli/)
Riccardo is a system administrator and software developer for small and mid-size busi‐
nesses in Italy.
(https://4s
ysops.‐
com/mem
bers/ric‐
cardo-
bicelli/)

ADMX template structure


ADMX is the last format of Administrative Template used in group policy manage‐ 
ment; it is the successor of ADM. A group policy is a setting that manipulates one or
more registry settings in the target computer. The ADMX template comprises one or

https://4sysops.com/archives/how-to-create-an-admx-template/ 2/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

more XML files that contain instructions for manipulating those registry settings.

FREE PC, Mac & Mobile Management - Desktop Sharing - Software Installation - Inventory
Download ManageEngine Endpoint Central now! Ad

As shown below, the typical tree structure of an ADMX template looks like this:
1. ───ADMXfiles
2. │ LogonMessageBox.admx
3. │ MyCompany.admx
4. │
 5. └───en-US 
6. LogonMessageBox.adml
7. MyCompany.adml

ADML files are language localization files, which are loaded by the Group Policy
Editor snap-in according to current locale settings.

Note that I created an additional template, MyCompany.admx/adml, which is a trick


for grouping policies in a custom category.

The VBScript LogonMessage.vbs


I chose to implement a simple script that shows a message box at the user's logon.
The message content, title, button sets, and icons are configurable via GPO. I chose
to use VBScript for demonstration purposes. In your projects, you can use your lan‐
guage of choice.

https://4sysops.com/archives/how-to-create-an-admx-template/ 3/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

Active Directory Management, Automated Provisioning, Delegation, Self-Password Reset


Download Adaxes now! Ad

Let's summarize what we will configure in the template:

Item Type Description


Logon Message Flag that enables the message box dis‐
Enable/Disable
Enable play at user logon
Logon Message
Text Text displayed on message box title bar
 Title 
Logon Message
Text Text displayed on message box body
Prompt
Logon Message Single choice from a
Buttons set of message box window
Buttons list
Logon Message Single choice from a
Icon displayed in message box window
Icon list

The ADMX template header


The opening of our ADMX template looks like this:
1. <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.‐
com/GroupPolicy/2006/07/PolicyDefinitions">
2. 
3. <policyNamespaces>
4. <target prefix="MyCompLogonMessageBox" namespace="MyCompany.Lo‐
gonMessageBox" />

https://4sysops.com/archives/how-to-create-an-admx-template/ 4/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

5. <using prefix="mycompany" namespace="MyCompany.Policies.Com‐


mon" />
6. <using prefix="windows" namespace="Microsoft.Policies.Windows"
/>
7. </policyNamespaces>
8.
9. <resources minRequiredRevision="1.0" />
10. <categories>
11. <category name="CtMyCompLogonMessageBox"
displayName="$(string.CtmyCompLogonMessageBox)">
12. <parentCategory ref="mycompany:CtMyCompany" />
13. </category>
14. </categories>

The block contained in <policyDefinitions> can be considered the standard opening


of every template.

In <policyNamespaces>, besides the namespace Microsoft.Policies.Windows (which


should be considered mandatory), I added a reference to
MyCompany.Policies.Common; this is contained in MyCompany.admx file.

Using namespace is a strategy to reduce redundant information in your templates,


such as category name.

In the categories section, you can see the main category


 CtMyCompLogonMessageBox, which refers to the parent category CtMyCompany 
included in the MyCompany.Policies.Common namespace.

As a result, the Group Policy Editor includes settings that appear under
Administrative Templates\My Company\Logon Message Box.

ADML language files


The language file, which has an .adml extension, is used for translating strings and
presentation elements according to the current user locale. If you consider this snip‐
pet of MyCompany.admx:
1. <categories>
2. <category name="CtMyCompany" displayName="$(string.CtCategory‐
MyCompany)" />
3. </categories>

and its matching part in en-US\MyCompany.adml:



1. <stringTable>

https://4sysops.com/archives/how-to-create-an-admx-template/ 5/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

2. <string id="CtCategoryMyCompany">My Company</string>


3. </stringTable>

it is easy to understand how a reference is created.

Template item: Enabled/Disabled


The first example of a template item is Enabled/Disabled. In the <policies> section,
let's define a policy like this:
1. <policy name="LogonMessageBoxEnable" class="User"
displayName="$(string.LogonMessageBoxEnable)"
explainText="$(string.LogonMessageBoxEnable_Help)"
key="Software\Policies\MyCompany\LogonMessage" valueName="MessageEn‐
able">
2. <parentCategory ref="CtMyCompLogonMessageBox" />
3. <supportedOn ref="windows:SUPPORTED_WindowsVista" />
4. <enabledValue>
5. <decimal value="1" />
6. </enabledValue>
7. <disabledValue>
8. <delete />
9. </disabledValue>
10. </policy>

 The table below provides descriptions of policy attributes: 


Attribute
Explanation Possible Values
Name
A string, preferably without
name Unique name of the policy item.
spaces or special chars
Where to place the policy item, comput‐
class “Machine”, “User”, or “Both”
er, user, or both.
display‐ The name displayed in the GPMC snap- A reference to a string locat‐
Name in. ed in the ADML file
The long explanation text displayed in A reference to a string locat‐
explainText
the GPMC snap-in. ed in the ADML file
The relative path of the registry key. The
key A registry key path
path is relative to the class attribute.
valueName The registry value name. A string 

https://4sysops.com/archives/how-to-create-an-admx-template/ 6/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

The tag parentCategory refers to the category (folder) in GPMC. In this case, the
parent category is My Company\Logon Message Box.

The tag supportedOn refers to a Windows namespace (located in the


Windows.admx file), which contains references to every Windows product you can
support in your template.

The tags enabledValue and disabledValues contain the values that the registry key
will assume if the policy is enabled or disabled.

Possible values are listed in the table below:

Value Explanation
delete The registry key is deleted
decimal value = “%n” Where %n is a decimal number
String value = “%s” Where %s is a string

Consideration of used registry keys

Although you can manipulate any registry key as needed, it is advisable to use a
subkey under Software\Policies (e.g.,
Software\Policies\MyCompany\LogonMessage). These subkeys are locked by
the user editing the machine as part of the AD domain.
 

Template Item: String Input


This template item defines an input string entered by the user. Let's take the Logon
message title as an example:

You can enclose one or more items in tag elements.

The text item defines an input string. In the corresponding ADML file, we see a new
section called presentationTable, which is referred to by the presentation attribute in
the ADMX policy section:
1. <presentationTable>
2. <presentation id="LogonMessageBoxTitle">
3. <textBox refId="LogonMessageBoxTitle">
4. <label>Message Box Title:</label>
5. </textBox> 
6. </presentation>
7. </presentationTable>

https://4sysops.com/archives/how-to-create-an-admx-template/ 7/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

This syntax instructs the GPMC snap-in to interpret the text with ID
LogonMessageBoxTitle as a textbox.

(https://4sysops.com/wp-content/uploads/2020/09/GPMC-renders-as-textbox.png)

GPMC renders as textbox

Template Item: Dropdown List


This template item defines a dropdown list, from which users can select a single ele‐
ment. As an example, we'll use the Logon Message Icon:
1. <policy name="LogonMessageBoxIcon" class="User"
displayName="$(string.LogonMessageBoxIcon)" explainText="$(string.L‐
ogonMessageBoxIcon_Help)" presentation="$(presentation.LogonMessage‐
BoxIcon)" key="Software\Policies\MyCompany\LogonMessage">
 2. <parentCategory ref="CtMyCompLogonMessageBox" /> 
3. <supportedOn ref="windows:SUPPORTED_WindowsVista" />
4. <elements>
5. <enum id="LogonMessageBoxIcon" valueName="MessageIcon">
6. <item displayName="$(string.MessageIcon_Critical)">
7. <value>
8. <decimal value="16" />
9. </value>
10. </item>
11. <item displayName="$(string.MessageIcon_Question)">
12. <value>
13. <decimal value="32" />
14. </value>
15. </item>
16. <item displayName="$(string.MessageIcon_Exclamation)">
17. <value>
18. <decimal value="48" />
19. </value>
20. </item>
21. <item displayName="$(string.MessageIcon_Information)">

22. <value>
23. <decimal value="64" />

https://4sysops.com/archives/how-to-create-an-admx-template/ 8/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

24. </value>
25. </item>
26. </enum>
27. </elements>
28. </policy>

The enum tag contains various items, each of which represents an entry in the drop‐
down list. The corresponding presentation section in the ADML files look like this:
1. <presentation id="LogonMessageBoxIcon">
2. <dropdownList refId="LogonMessageBoxIcon"
noSort="true">Icon</dropdownList>
3. </presentation>

Below you can see the results of these instructions:

(https://4sysops.com/wp-content/up‐

loads/2020/09/GPMC-renders-a-drop‐

down-list.png)

 GPMC renders a dropdown 


list

Final result
You can put the ADMX templates in %WINDIR%\PolicyDefinitions or in the central
store, create a GPO object, and edit the policy settings regarding the message box
to add the LogonMessageBox.vbs script to user logon.

At user logon, you will see the message box with the settings defined in the policy:

Subscribe to 4sysops newsletter!

Email address

Subscribe

https://4sysops.com/archives/how-to-create-an-admx-template/ 9/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

(https://4sysops.com/wp-content/uploads/2020/09/The-

script-in-action.png)

The script in action

Conclusion
The ability to write ADMX templates can be useful in many Sysadmin/DevOps sce‐
narios. Now you can control your users' logon scripts if you want. For a deeper look
at this tutorial, see my github repo (https://github.com/rbicelli/example-admx-
template).

+2

(https://4sysops.com/members/paolo/)
 

Achieve rapid response and reliable recovery from ransomware attacks for data center- and cloud
Download Veeam Data Platform>> Ad

https://4sysops.com/archives/how-to-create-an-admx-template/ 10/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

Read the latest IT news and community updates!


(https://4sysops.com/activity/?
utm_source=4sysops&utm_medium=endpage&utm_campaign=activity)

Join our IT community and read articles without ads!


(https://4sysops.com/join/?
utm_source=4sysops&utm_medium=endpage&utm_campaign=NoAds)

Do you want to write for 4sysops? We are looking for new authors.
(https://4sysops.com/write-for-4sysops//?
utm_source=4sysops&utm_medium=endpage&utm_campaign=Author)

R E L AT E D A R T I C L E S

 (https://4sysops.com/archives/create-
(https://4sysops.com/archives/migrate-
(https://4sysops.com/archive
a-free-lab-for-microsoft- microsoft-entra-connect- playbook-examples/)
365-and-intune/) azure-ad-connect-to-a-
Ansible Playbook
new-server/)
Create a free lab for examples
Microsoft 365 and Intune Migrate Microsoft Entra (https://4sysops.com/archi
(https://4sysops.com/archives/create-
Connect (Azure AD playbook-examples/)
a-free-lab-for-microsoft- Connect) to a new server
365-and-intune/) (https://4sysops.com/archives/migrate-

(https://4sysops.com/archives/correct-update-order-for-vmware-vsphere-7-and-associated-
1 COMMENT
products/)
(https://4sysops.com/archives/userlock-control-user-logon-activity/)
Eric
2 years ago

Excellent tutorial! 
+1

https://4sysops.com/archives/how-to-create-an-admx-template/ 11/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

REPLY (HTTPS://4SYSOPS.COM/ARCHIVES/HOW-TO-CREATE-AN-ADMX-TEMPLATE/?

REPLYTOCOM=1074584#RESPOND)

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *

Comment

Name *

 
Email*

Website

Notify me of followup comments via e-mail. You can also subscribe (https://4sysops.com/comment-
subscriptions/?srp=1557793&srk=125e4221f12cfb4a94bce2e06b44c1c2&sra=s&srsrc=f) without
commenting.

POST COMMENT

Receive new post notifications


https://4sysops.com/archives/how-to-create-an-admx-template/ 12/13
29/12/2023, 16:41 How to create an ADMX template – 4sysops

Subscribe to Newsletter

Email Address

Subscribe

Follow 4sysops

(http://twitter.com/4sysops/) (http://www.facebook.com/4sysops)

(https://www.linkedin.com/company/4sysops/) (https://4sysops.com/feed/)

 

© 4sysops 2006 - 2023


WindowsUpdatePreventer (https://4sysops.com/windowsupdatepreventer-for-windows)

https://4sysops.com/archives/how-to-create-an-admx-template/ 13/13

You might also like